// Validates that trying to create an encryption key with a setting of KeyDerivation enabled for a // key type that does not support Convergent or key Derivation encryption throws an exception. public void CreateEncryptionKey_ErrorsOnInvalidKeyTypeKeyDerivationSetting2(TransitEnumKeyType keyType) { string key = _uniqueKeys.GetKey(); Assert.That(() => _transitSecretEngine.CreateEncryptionKey(key, false, false, keyType, true), Throws.Exception.TypeOf <ArgumentOutOfRangeException>().With.Property("ParamName").EqualTo("keyType")); }
/// <summary> /// Used as shortcut for commonly called code in test methods of Transit Type. /// </summary> /// <param name="keyType">Type of key to make</param> /// <param name="keyDerivation">Boolean. True if you want a key that supports key derivation.</param> /// <param name="convergentKey">Boolean. True if you want a key that supports convergent encryption.</param> /// <returns>string value of the key name.</returns> public async Task <string> Transit_InitWithKey(TransitEnumKeyType keyType = TransitEnumKeyType.aes256, bool keyDerivation = false, bool convergentKey = false) { string key = _uniqueKeys.GetKey("Key"); // Create key. bool rc = await _transitSecretEngine.CreateEncryptionKey(key, true, true, keyType, keyDerivation, convergentKey); Assert.True(rc); return(key); }
// ============================================================================================================================================== /// <summary> /// Creates an encryption key with the specified name. Since encryption key parameters cannot be changed after initial creation AND vault does not /// return an error telling you a key already exists - it just returns Success, it is best to call the IfKeyExists function first to make sure the /// key you want to create will be able to be created with the values you want. /// </summary> /// <param name="keyName">This is the actual name of the encryption key.</param> /// <param name="canBeExported">Boolean: If you want to be able to export the key then set this to True.</param> /// <param name="allowPlainTextBackup">Boolean. If you want to be able to perform a plain text backup of the key, set to True.</param> /// <param name="keyType">The type of encryption key to use. Best choices are one of the RSA keys or the AES key.</param> /// <param name="enableKeyDerivation">Enables Key Derivation. Key derivtion requires that an encryption context must be supplied with each encrypt operation.</param> /// <param name="enableConvergentEncryption">Enables Convergent Encryption. Convergent encryption means that the same plaintext value will always result in the /// same encrypted ciphertext.</param> /// <returns>True if successful. However, it could also mean the key already exists, in which case the parameters you set here may not be what the key /// is set to.</returns> public async Task <bool> CreateEncryptionKey(string keyName, bool canBeExported = false, bool allowPlainTextBackup = false, TransitEnumKeyType keyType = TransitEnumKeyType.aes256, bool enableKeyDerivation = false, bool enableConvergentEncryption = false) { // The keyname forms the last part of the path string path = MountPointPath + PathKeys + keyName; string keyTypeV; switch (keyType) { case TransitEnumKeyType.aes256: keyTypeV = "aes256-gcm96"; break; case TransitEnumKeyType.chacha20: keyTypeV = "chacha20-poly1305"; break; case TransitEnumKeyType.ecdsa: keyTypeV = "ecdsa-p256"; break; case TransitEnumKeyType.ed25519: keyTypeV = "ed25519"; break; case TransitEnumKeyType.rsa2048: keyTypeV = "rsa-2048"; break; case TransitEnumKeyType.rsa4096: keyTypeV = "rsa-4096"; break; default: keyTypeV = "unknown"; break; } Dictionary <string, string> createParams = new Dictionary <string, string>(); createParams.Add("exportable", canBeExported ? "true" : "false"); createParams.Add("allow_plaintext_backup", allowPlainTextBackup ? "true" : "false"); createParams.Add("type", keyTypeV); // Convergent encryption requires KeyDerivation. createParams.Add("convergent_encryption", enableConvergentEncryption ? "true" : "false"); if (enableConvergentEncryption) { enableKeyDerivation = true; } createParams.Add("derived", enableKeyDerivation ? "true" : "false"); // Validate: if (enableKeyDerivation) { if ((keyType == TransitEnumKeyType.rsa2048) || (keyType == TransitEnumKeyType.rsa4096) || (keyType == TransitEnumKeyType.ecdsa)) { throw new ArgumentOutOfRangeException("keyType", ("Specified keyType: " + keyTypeV + " does not support contextual encryption.")); } } return(await CreateEncryptionKey(keyName, createParams)); }